11323274

Certificate Authority

Published: May 3, 2022
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A computer-implemented method, comprising: obtaining, at a certificate management service that implements a plurality of private certificate authorities, via an application programming interface accessible via a computer network, a first request to implement a private certificate authority; causing the certificate management service to allocate a set of computing resources; causing the set of computing resources to implement the private certificate authority; obtaining, at the certificate management service via the application programming interface, a second request to generate a digital certificate; authenticating a requester associated with the second request; selecting, based at least in part on an identity of the requester, the private certificate authority from the plurality of private certificate authorities; causing the private certificate authority to generate the digital certificate in accordance with the second request; providing, to a hardware security module accessible by the private certificate authority, an encrypted version of a private key of the private certificate authority, the encrypted version of the private key provided to the private certificate authority with the second request and encrypted by the certificate management service with a master key accessible to the hardware security module; signing, using the hardware security module, the digital certificate with a digital signature using the private key of the private certificate authority to generate a signed digital certificate; and providing the signed digital certificate via the application programming interface.

2. The computer-implemented method of claim 1, wherein: the requester is an application running on a client computer system; the requester is authenticated based at least in part on a digital signature of the second request; and the second request includes a time stamp that determines when the second request expires.

3. The computer-implemented method of claim 1, wherein: the private key of the private certificate authority is stored in the hardware security module; and the digital signature of the digital certificate is generated by the hardware security module.

4. The computer-implemented method of claim 1, wherein the requester provides information identifying the private certificate authority to enable selection of the private certificate authority from the plurality of private certificate authorities.

5. A system, comprising: one or more processors; and memory to store computer-executable instructions that, if executed, cause the system to: obtain, via an application programming interface, a first request to create a private certificate authority; allocate a set of computing resources; configure the set of computing resources to implement the private certificate authority; obtain, at a certificate management service, from a requester, via the application programming interface accessible via a computer network, a second request to generate a digital certificate; select, based at least in part on the requester, the private certificate authority from a plurality of private certificate authorities implemented by the system; cause the private certificate authority to generate the digital certificate in accordance with the second request; cause a hardware security module to obtain an encrypted version of a private key that corresponds to the digital certificate, the encrypted version of the private key provided to the private certificate authority with the second request and encrypted by the certificate management service with a master key accessible to the hardware security module; cause the hardware security module to sign the digital certificate with a digital signature using the private key to generate a signed digital certificate; and provide the signed digital certificate via the application programming interface.

6. The system of claim 5, wherein the second request includes information that allows the system to access the private key.

7. The system of claim 5, wherein the private certificate authority is selected from a plurality of certificate authorities based at least in part on information provided with the second request.

8. The system of claim 5, wherein the computer-executable instructions further cause the system to: determine that the digital certificate is within a threshold amount of time from expiration; renew the digital certificate by at least causing the private certificate authority to generate a new digital certificate; sign the new digital certificate based at least in part on the private key; and provide the new digital certificate to the requester.

9. The system of claim 5, wherein the computer-executable instructions further cause the system to: obtain, via the application programming interface, a third request to revoke the digital certificate; and add a serial number of the digital certificate to a certificate revocation list.

10. The system of claim 5, wherein the computer-executable instructions further cause the system to authenticate the requester by verifying a digital signature of the second request, the second request including a timestamp that limits a period of validity for the second request.

11. The system of claim 5, wherein the computer-executable instructions further cause the system to: acquire the private key associated with the digital certificate; encode the private key with a password to generate an encoded private key; and export the encoded private key to computer readable storage outside the hardware security module.

12. The system of claim 5, wherein the computer-executable instructions further cause the system to: obtain, via the application programming interface, a third request to generate a subordinate certificate authority to the private certificate authority; and allocate a second set of computing resources to instantiate the subordinate certificate authority.

13. A non-transitory computer-readable storage medium storing thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least: obtain, from a requester, via an application programming interface accessible via a computer network, a first request to generate a private certificate authority; cause computing resources to be allocated to implement the private certificate authority; obtain, from the requester, via the application programming interface accessible via the computer network, a second request to generate a digital certificate; select, based at least in part on the requester, the private certificate authority from a plurality of private certificate authorities implemented at least in part by a certificate management service; cause the private certificate authority to generate the digital certificate in accordance with the second request; acquire a digital signature associated with the digital certificate by providing a hardware security module with an encrypted version of a private key associated with the digital certificate to cause the hardware security module to sign the digital certificate using the private key, the encrypted version of the private key provided to the private certificate authority with the second request and encrypted by the certificate management service with a master key accessible to the hardware security module, the hardware security module storing the master key that allows the encrypted version of the private key to be decrypted; and provide the signed digital certificate via the application programming interface.

14. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to: provide the encrypted version of the private key to the hardware security module; and cause the hardware security module to decrypt the encrypted version of the private key, and generate the digital signature associated with the digital certificate.

15. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to authenticate the second request based at least in part on a signature of the second request.

16. The non-transitory computer-readable storage medium of claim 13, wherein: the second request includes a template that describes a restriction on a subject of the digital certificate; and the digital certificate is generated in accordance with the restriction.

17. The non-transitory computer-readable storage medium of claim 13, wherein the second request is a certificate signing request.

18. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to: obtain a third request to generate a subordinate certificate authority; and allocate a set of computing resources to instantiate the subordinate certificate authority to the private certificate authority.

19. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to: determine that the digital certificate has expired; and acquire a renewed digital certificate from the private certificate authority.

20. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to record generation of the digital certificate and use of the private key in an audit log.
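The wrapped-key signing flow that claims 1, 5 and 13 describe, as an added Go example that is not part of the patent or of any product: the certificate management service encrypts the private CA's key under a master key held by the hardware security module, sends that encrypted key along with each signing request, and the HSM decrypts it only to produce the signature. The names (HSM, Wrap, Sign, NewPrivateCA), the choice of AES-256-GCM as the wrapping cipher and Ed25519 for the CA key are assumptions; the claims specify no algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// HSM stands in for the claims' hardware security module: the master key never leaves it and a
// CA private key is in plaintext only inside Sign. Constructed example, not the patent's own code.
type HSM struct{ gcm cipher.AEAD }
func NewHSM() *HSM {
	master := make([]byte, 32) // AES-256 master key; a real HSM generates and keeps it internally
	rand.Read(master)
	block, _ := aes.NewCipher(master)
	gcm, _ := cipher.NewGCM(block)
	return &HSM{gcm}
}
// Wrap is the certificate management service's step: encrypt the CA key under the master key.
func (h *HSM) Wrap(key ed25519.PrivateKey) []byte {
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	nonce := make([]byte, h.gcm.NonceSize())
	rand.Read(nonce)
	return h.gcm.Seal(nonce, nonce, der, nil) // nonce || ciphertext || GCM tag
}
// Sign unwraps the key that travels with the request, signs tmpl with it, and discards it.
func (h *HSM) Sign(wrapped []byte, tmpl, parent *x509.Certificate, pub ed25519.PublicKey) ([]byte, error) {
	n := h.gcm.NonceSize()
	der, err := h.gcm.Open(nil, wrapped[:n], wrapped[n:], nil)
	if err != nil {
		return nil, err // tampered blob or wrong master key: GCM tag fails, nothing is signed
	}
	key, _ := x509.ParsePKCS8PrivateKey(der) // authenticated by GCM, so it parses as Wrap wrote it
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
}
// NewPrivateCA allocates a private CA: generate its key, wrap it, and have the HSM self-sign the CA
// certificate. The service keeps only the CA certificate (DER) and the wrapped key.
func NewPrivateCA(h *HSM, name string) (caDER, wrapped []byte, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	wrapped = h.Wrap(priv)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, err = h.Sign(wrapped, tmpl, tmpl, pub)
	return caDER, wrapped, err
}
```

Every later certificate request reuses the same wrapped blob with `Sign`, and a blob that was altered or wrapped under a different module's master key is refused before any signature is produced.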

Patent Metadata

Filing Date

Unknown

Publication Date

May 3, 2022

Inventors

Peter Zachary Bowen
Todd Lawrence Cignetti
Preston Anthony Elder III
Brandonn Gorman
Ronald Andrew Hoskinson
Jonathan Kozolchyk
Kenneth Lawler
Marcel Andrew Levy
Kyle Benjamin Schultheiss
Sandeep Shantharaj
Param Sharma
Jose Maria Silveira Neto


Cite as: Patentable. “CERTIFICATE AUTHORITY” (11323274). https://patentable.app/patents/11323274
